The Obama administration Thursday expelled 35 Russian diplomats and hit both Moscow’s civilian and military foreign intelligence agencies with newly authorized financial sanctions in a sweeping response to alleged Russian interference in U.S. elections.
Two Russian diplomatic compounds — one in Maryland and one in New York — also were shuttered in retaliation for the harassment of U.S. diplomats in Moscow, and two unrelated Russians accused of financial cybercrimes were sanctioned under existing powers.
Four senior intelligence officials and three nongovernment bodies were also sanctioned under new powers for their role in the election-related hacking, according to a fact sheet issued by the White House.
“These actions follow repeated private and public warnings that we have issued to the Russian government,” President Obama said in a written statement from his vacation in Hawaii.
“All Americans should be alarmed by Russia’s actions,” he said, calling them “efforts to harm U.S. interests in violation of established international norms of behavior.”
Two Russian hacker gangs were found lurking in the computer network of the Democratic National Committee earlier this year. Subsequently, emails and other documents from DNC leaders and John Podesta, a Democratic official who ran Hillary Clinton’s election campaign, were published on the web. The gang known as Fancy Bear, or APT28, has been linked to Moscow’s Main Intelligence Directorate, known as the GRU, while Cozy Bear, or Cozy Duke or APT29, has been linked to Russia’s Federal Security Service, or FSB.
The sanctions were imposed under three sets of legal authorities:
- The sanctions against the two alleged “notorious cybercriminals,” Evgeniy Mikhailovich Bogachev and Aleksey Alekseyevich Belan, were imposed under an existing executive order, EO 13964, issued in April 2015.
- The expulsion of 35 Russian personnel and the shuttering of the two compounds were carried out under the State Department’s power to authorize foreign diplomats and their facilities.
- The sanctions against the GRU and its leadership and three of its contractors — and those against the civilian intelligence agency the FSB — were imposed under new powers asserted Thursday in an amendment to EO 13964.
According to the fact sheet, Thursday’s amendment adds “Tamper[ing] with, alter[ing], or caus[ing] a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions,” to the list of sanctionable activities under the order.
Thursday’s events capped a riotous period since the election during which the issue of Russian interference in the election — and most especially the bombshell allegation that the Kremlin tried to help president-elect Donald Trump to his victory — has become a political football.
Thursday evening, Trump reiterated his contention that the allegations were no big deal — although he refrained from dismissing or contradicting, as he has in the past, the U.S. assessment that Moscow was behind the DNC and Podesta dumps.
“It’s time for our country to move on to bigger and better things,” he said in a statement. “Nevertheless, in the interest of our country and its great people, I will meet with leaders of the intelligence community next week in order to be updated on the facts of this situation.”
The April 2015 executive order — published in response to the Thanksgiving 2014 cyberattack against Sony Pictures that was blamed on North Korean hackers — covered destructive cyberattacks and hacks against critical infrastructure as well as “significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.” This last provision was the one used against the two alleged cybercriminals.
But new powers relating to election-tampering had to be asserted because the existing EO didn’t cover it, officials explained.
“There has to be a cost and consequence for what Russia has done,” said a senior administration official, who insisted on anonymity despite speaking in a conference call with reporters arranged by the White House press office. “It was an extraordinary step for them to interfere in the democratic process here in the U.S. and there needs to be a price for that, they need to be held accountable for that … attack on our democratic system.”
The sanctions freeze any assets the sanctioned companies, agencies or people might have in the U.S. or in U.S. banks overseas, and bar any U.S. company, including banks, from doing business with them. They also bar them from entry to the U.S.
Alleged cybercriminals Bogachev and Belan are both on the FBI’s cyber most-wanted list, having first been indicted in 2012. Bogachev is accused of being the author of GameOverZeus, one of the most successful pieces of cybercrime banking malware ever written.
The expulsion of 35 Russian diplomats and the shuttering of the two recreational compounds, described by U.S. officials as “intelligence gathering facilities,” were said to be a response to a years-long campaign of harassment against U.S. diplomats in Russia.
Separately Thursday, the DHS and the FBI published what they called a Joint Analysis Report outlining some of the malware signatures, command and control infrastructure and other so-called “indicators of compromise,” that cybersecurity specialists could use to detect malicious cyber activity on their systems by Russian intelligence agencies.
Building a ‘bigger picture’
U.S. intelligence officials publicly stated in October what they said was a consensus view of the nation’s espionage agencies — that Russian intelligence services were behind the hacking. Since then, some media outlets have reported that the CIA has concluded the hacking was done to help Clinton’s rival, the current president-elect Donald Trump.
“What we’re asking companies to do,” said another senior official on the call, “is to go back through their logs and see if they see any indication of this activity in the past … knowledge of these historical incidents, even if the bad actors are no longer active in your system, [will help the government] build up a bigger picture.”
Officials said the GRU “is involved in external collection using human intelligence officers and a variety of technical tools, and is designated for tampering, altering, or causing a misappropriation of information with the purpose or effect of interfering with the 2016 U.S. election processes,” according to the fact sheet. The FSB “assisted the GRU in conducting the activities described above.”
Four GRU officials have been designated for sanctions under the new election-tampering powers:
- Igor Valentinovich Korobov, the current head of the GRU.
- Sergey Aleksandrovich Gizunov, deputy head of the GRU.
- Igor Olegovich Kostyukov, a first deputy chief of the GRU.
- Vladimir Stepanovich Alexseyev, also a first deputy chief of the GRU.
In addition, three other entities — two private cybersecurity companies and a nonprofit professional association — have been sanctioned:
- The Special Technology Center Ltd. “assisted the GRU in conducting signals intelligence operations,” the fact sheet states.
- Zorsecurity, a.k.a. Esage Lab, another private sector cyber company, “provided the GRU with technical research and development” services. Speakers from the company have presented at several prestigious computer security conferences over the past few years.
- The Professional Association of Designers of Data Processing Systems, better known by Russian initials ANO PO KSI, “provided specialized training to the GRU.”
Esage Lab did not immediately return an email requesting comment, and neither of the other two companies could be reached for comment.
In Moscow, Russian Foreign Ministry spokeswoman Maria Zakharova said the Kremlin would make an official statement on Friday about retaliation for the new sanctions.
“Tomorrow there will be official statements, countermeasures,” Zakharova wrote on Facebook, according to state-funded Sputnik news.